Résumé du contenu de la page N° 1
Polycom, Inc.
VSX 3000, VSX 5000, and VSX 7000s
(Firmware version: 8.5.0.2)
FIPS 140-2
Non-Proprietary Security Policy
Level 1 Validation
Document Version 1.0
Prepared for: Prepared by:
Polycom, Inc. Corsec Security, Inc.
4750 Willow Road 10340 Democracy Lane, Suite 201
Pleasanton, CA 94588-2708 Fairfax, VA 22030
Phone: 1.800.POLYCOM Phone: (703) 267-6050
Fax: (925) 924-6100 Fax: (703) 267-6810
http://www.polycom.com http://www.corsec.com
© 2007 Polycom, Inc.
Résumé du contenu de la page N° 2
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Revision History Version Modification Date Modified By Description of Changes 1.0 2007-06-15 Xiaoyu Ruan Release version. Polycom VSX 3000, VSX 5000, and VSX 7000s Page 2 of 23 © 2007 Polycom, Inc. - This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
Résumé du contenu de la page N° 3
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Table of Contents 0 INTRODUCTION ...............................................................................................................................................5 0.1 PURPOSE.........................................................................................................................................................5 0.2 REFERENCES.............................................................................
Résumé du contenu de la page N° 4
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 TABLE 4 - MAPPING OF FIPS 140-2 LOGICAL INTERFACES TO VSX 7000E INTERFACES..............................................12 TABLE 5 - MAPPING OF FIPS 140-2 LOGICAL INTERFACES TO VSX 7000S INTERFACES..............................................13 TABLE 6 - MAPPING OF FIPS 140-2 LOGICAL INTERFACES TO VSX 8000 INTERFACES................................................15 TABLE 7 - MAPPING OF CRYPTO-OFFICER’S SERVICES TO INPUTS, OUTPUTS
Résumé du contenu de la page N° 5
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 0 Introduction 0.1 Purpose This is a non-proprietary Cryptographic Module Security Policy for the VSX 3000, VSX 5000, and VSX 7000s from Polycom, Inc.. This Security Policy describes how the VSX 3000, VSX 5000, and VSX 7000s meet the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module. FIPS 140-2 (Federa
Résumé du contenu de la page N° 6
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 1 VSX 3000, VSX 5000, and VSX 7000s 1.1 Overview Founded in 1990, Polycom is the only company delivering end-to-end rich media collaborative applications for voice, video, data and the web. Polycom has a wide range of products from desktop and mobile personal systems to room systems to the network core. Polycom’s full range of high-quality voice and video communications endpoints, video management software, web conferencing soft
Résumé du contenu de la page N° 7
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Figure 2 - VSX 5000 The VSX 7000s is another set-top appliance which provides for a mechanical pan, tilt, zoom camera. The VSX 7000s supports H.323 networks with a internal NIC support 10/100mbps.. The VSX 7000 supports a subwoofer into which the optional Network Interface Card to support ISDN, V.35, RS-499 or RS-530 interfaces. . The VSX 7000s uses an external microphone array and has an internal audio reproduction system
Résumé du contenu de la page N° 8
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Figure 5 - VSX 8000 Per FIPS PUB 140-2, the VSX 3000, VSX 5000, and VSX 7000s are classified as multi-chip standalone cryptographic modules and validated at the following FIPS 140-2 Section levels: Table 1 - Security Level Per FIPS 140-2 Section Section Section Title Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services, and Authentication 1 4 Finite State Model 1 5 Phy
Résumé du contenu de la page N° 9
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 • LAN connector – For IP calls, VSX Web, and remote management • Power connector – For power supply • Power switch for the codec – (one of three) • VGA connector – For Personal Computer (PC) to use system as a computer monitor and for passing the video image from the VGA input connector to a display device • LCD Screen – Screen for video conferencing • IR Sensor – Input from IR sensor • Speaker – Built-in speaker • Camera
Résumé du contenu de la page N° 10
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 • LAN connector – For IP calls, VSX Web, and remote management • Conference link connector – For microphone pod, SoundStation VTX 1000, or Visual Concert VSX • VGA connector – VGA connector for input and passes the video image for monitor or projector • VCR/DVD inputs – For VCR/DVD to play content into calls • Power switch – To power up or down the device • Audio connectors – For main monitor audio, or for external speaker syste
Résumé du contenu de la page N° 11
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 FIPS 140-2 Logical Interface VSX 3000, VSX 5000, and VSX 7000s Port/Interface Power Power connector The following is the list of ports and interfaces for the VSX 7000e system and Figure 8 below shows the ports on module’s back panel. • Network interface bay – For network interface module (for BRI, PRI, and V.35/RS-449/RS-530 connection) • VCR/DVD connector – Play VCR/DVD content into calls or record the calls to VCR/DVD • Au
Résumé du contenu de la page N° 12
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Figure 8 - VSX 7000e Back Panel Section 1 of the Administrator’s Guide for the VSX Series lists the connection cables required for the VSX 7000e system. The following table maps VSX 7000e interfaces with FIPS 140-2 logical interfaces. Table 4 - Mapping of FIPS 140-2 Logical Interfaces to VSX 7000e Interfaces FIPS 140-2 Logical Interface VSX 3000, VSX 5000, and VSX 7000se Port/Interface Data Input Network interface bay, VCR/DV
Résumé du contenu de la page N° 13
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 • LAN connector – For IP calls, VSX Web, and remote management • Conference link connector – For microphone pod, SoundStation VTX 1000, or Visual concert VSX • VGA connector – Output from system for VGA monitor or projector • VCR/DVD connector – Play VCR/DVD connect into calls or record call content • Power switch • S-Video connector – Input from camera or output to S-Video monitor • Audio connector – Output from system
Résumé du contenu de la page N° 14
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 • Network interface bay – For network interface module (for BRI, PRI, and V.35/RS-449/RS-530 connection) • Balanced Audio connector – Input for mixed or powerful microphones or output for external audio equipment • VCR/DVD connector – Play VCR/DVD content into calls or record the calls to VCR/DVD • Serial ports – RS-232 port for touch panel, camera control, or other RS-232 device • Monitor 1Y and C – output for main monitor
Résumé du contenu de la page N° 15
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Figure 10 - VSX 8000 Back Panel Section 1 of the Administrator’s Guide for the VSX Series lists the connection cables required for the system. The following table maps VSX 8000 interfaces with FIPS 140-2 logical interfaces. Table 6 - Mapping of FIPS 140-2 Logical Interfaces to VSX 8000 Interfaces FIPS 140-2 Logical Interface VSX 3000, VSX 5000, and VSX 7000s Port/Interface Data Input Network interface bay, Balanaced Audio conne
Résumé du contenu de la page N° 16
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 1.4 Roles and Services The modules support two authorized roles (as required by FIPS 140-2) that operators may assume: a Crypto Officer role and User role. 1.4.1 Crypto-Officer Role The Crypto-Officer (CO) installs and uninstalls the cryptographic module. Also, the CO is responsible for monitoring and configuring the modules and call settings. The Crypto-Officer can manage the VSX modules over a Transport Layer Security (TLS) v
Résumé du contenu de la page N° 17
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Service Description Input Output CSP and Access Control Secured call on IP Placing secured call on Command and calling Connection established Diffie-Hellman key network IP network via LAN information pairs – Read port IP Encryption Key – Read/Write Secured call on ISDN Placing secured call on Command and calling Connection established Diffie-Hellman key ISDN via BRI/PRI information pairs – Read port ISDN Encryption Key – Re
Résumé du contenu de la page N° 18
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Key Key Type Generation / Output Storage Zeroization Use Input x.509 certificate 1024 bits RSA Generated Output in Stored in Flash Erasing the flash Authenticates the (RSA Public public key externally, input plaintext in plaintext image module during key) in plaintext TLS handshake RSA Private key 1024 bits RSA Generated Never exits the Stored in Flash Erasing the flash Authenticates the private key externally, input module in
Résumé du contenu de la page N° 19
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 1.7.3 Key Storage The RSA public/private key pair and Integrity Check Key are stored in the modules’ flash drives in plaintext form. The Session Key, IP Encryption Key, ISDN Encryption Key, DH public/private key pair, and PRNG seed are held in volatile memory in plaintext. 1.7.4 Key Zeroization The RSA key pair is zeroized by overwriting the flash image. The Session Key, IP Encryption Key, ISDN Encryption Key, Diffie-Hellman (DH
Résumé du contenu de la page N° 20
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 2 Secure Operation The VSX 3000, VSX 5000, and VSX 7000s meet Level 1 requirements for FIPS 140-2. The sections below describe how to place and keep the module in FIPS-approved mode of operation. 2.1 Crypto-Officer Guidance The Crypto-Officer is responsible for initialization and security-relevant configuration and management of the module through the web management interface, serial port from a non networked PC, or secure Telnet